h2non / imaginary

Fast, simple, scalable, Docker-ready HTTP microservice for high-level image processing
https://fly.io/docs/app-guides/run-a-global-image-service/
MIT License

Decompression exploit check #404

Closed SeaaaaaSharp closed 1 year ago

SeaaaaaSharp commented 1 year ago

This adds the -max-allowed-resolution flag option to the application, useful for preventing the aforementioned exploit. I've also run gofmt and bumped the bimg version, as the build was failing.
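The protective idea behind a maximum-resolution flag is to compare the dimensions an image declares in its header against a limit before any pixel buffer is allocated, since a decompression bomb is a tiny file whose header promises a huge decoded image. The following Go program is an added example written for this page, not the PR's code and not imaginary's or bimg's API: it uses the standard library's image.DecodeConfig (header-only parsing) instead of libvips, treats the limit as megapixels (an assumption), and builds its two inputs in memory, a real 16x16 PNG and a constructed PNG prefix whose IHDR chunk claims 20000x20000 pixels.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"image"
	_ "image/jpeg" // register the JPEG decoder so DecodeConfig can sniff it too
	"image/png"
	"io"
)

// ErrResolutionExceeded is returned when width*height is above the limit.
var ErrResolutionExceeded = errors.New("image resolution exceeds the configured maximum")

// CheckResolution reads only the image header (image.DecodeConfig allocates no
// pixel buffers) and rejects the image when its declared width*height exceeds
// maxMegapixels. The limit unit is an assumption made for this example.
// The declared dimensions are returned so a caller can log what was rejected.
func CheckResolution(r io.Reader, maxMegapixels float64) (width, height int, err error) {
	cfg, _, err := image.DecodeConfig(r)
	if err != nil {
		return 0, 0, fmt.Errorf("decode header: %w", err)
	}
	// Multiply as float64 so a hostile header cannot overflow int arithmetic here.
	pixels := float64(cfg.Width) * float64(cfg.Height)
	if pixels > maxMegapixels*1e6 {
		return cfg.Width, cfg.Height, fmt.Errorf("%w: %dx%d is %.1f MP, limit %.1f MP",
			ErrResolutionExceeded, cfg.Width, cfg.Height, pixels/1e6, maxMegapixels)
	}
	return cfg.Width, cfg.Height, nil
}

// smallPNG is a constructed, fully valid 16x16 RGBA PNG encoded in memory.
func smallPNG() []byte {
	img := image.NewRGBA(image.Rect(0, 0, 16, 16))
	for i := range img.Pix {
		img.Pix[i] = 0xFF // opaque white
	}
	var buf bytes.Buffer
	_ = png.Encode(&buf, img)
	return buf.Bytes()
}

// bombHeader is a constructed PNG prefix (signature + IHDR chunk only) whose
// header declares w x h truecolor pixels. 20000x20000 RGB is 1.2 GB decoded,
// yet this prefix is 33 bytes: that asymmetry is what the check defends against.
func bombHeader(w, h uint32) []byte {
	var ihdr bytes.Buffer
	_ = binary.Write(&ihdr, binary.BigEndian, w)
	_ = binary.Write(&ihdr, binary.BigEndian, h)
	// bit depth 8, colour type 2 (RGB), compression 0, filter 0, interlace 0
	ihdr.Write([]byte{8, 2, 0, 0, 0})

	var out bytes.Buffer
	out.Write([]byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'})
	_ = binary.Write(&out, binary.BigEndian, uint32(ihdr.Len()))
	out.WriteString("IHDR")
	out.Write(ihdr.Bytes())
	// The PNG decoder verifies the chunk CRC (over type + data) before accepting IHDR.
	crc := crc32.NewIEEE()
	crc.Write([]byte("IHDR"))
	crc.Write(ihdr.Bytes())
	_ = binary.Write(&out, binary.BigEndian, crc.Sum32())
	return out.Bytes()
}

func main() {
	const limit = 18.0 // assumed limit, in megapixels
	inputs := map[string][]byte{
		"small": smallPNG(),
		"bomb":  bombHeader(20000, 20000),
	}
	for name, data := range inputs {
		w, h, err := CheckResolution(bytes.NewReader(data), limit)
		fmt.Printf("%-5s declared %dx%d err=%v\n", name, w, h, err)
	}
}
```

In an HTTP handler the body has to be buffered first (for example with io.ReadAll under a size cap) and then read twice, once by the header check and once by the real decoder, because CheckResolution consumes the start of the stream. The check also passes images whose header is truthful but whose compressed payload is corrupt; that case is caught later by the full decode, which is acceptable because the header has already bounded the memory it may allocate.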

csware commented 1 year ago

This patch breaks the test suite.

SeaaaaaSharp commented 1 year ago

Indeed, the zero value for the flag I added was being used as a default. All good now, thanks.

SeaaaaaSharp commented 1 year ago

@h2non Sorry for the ping, but I feel like this is important enough that it deserves a bit more attention.